University and industry researchers revealed on Monday the results of a 10-month investigation into a malicious network of surveillance software, dubbed GhostNet, that they linked to China.
The surveillance network, which targeted systems used by the offices of the Dalai Lama and Tibetan independence organizations, had infected 1,295 computers in 103 countries, almost a third of which were considered high-value targets including systems at various embassies, the Asian Development Bank and the Association of Southeast Asian Nations (ASEAN). The investigation, carried out by two teams of researchers, led back to command and control servers housed in China. The conclusions were published in a research note penned by two academic researchers at the University of Cambridge and a longer analysis published by CitizenLab, a group affiliated with the University of Toronto (corrected).
"They, the Chinese, made the mistake that they were using the intelligence for something trivial," said Shishir Nagaraja, a research fellow at the University of Illinois at Urbana-Champaign and the principal author of the University of Cambridge report. "Whether it was the Chinese military who did the hacking or other hacking groups that did it for them, becomes irrelevant."
The victims became suspicious of surveillance when, in several instances, the Dalai Lama's administrators set up a meeting between the spiritual leader and a foreign diplomat, only to have Chinese officials immediately warn the diplomat not to meet with the Tibetan leader. The incidents strongly suggest a connection between China and the surveillance network discovered by the researchers, Shishir said.
This is not the first time that cyber espionage attacks have led back to China. Government officials in Belgium, Germany, India, the United Kingdom and the United States have all warned that attacks emanating from China have targeted sensitive networks in their countries. In 2006, attacks from China targeted Taiwanese pro-independence and business groups in the United States. The U.S. Department of Defense has flagged China's pro-information warfare strategy as a danger to the United States' security.
The biggest lesson from the attacks, however, is that they are easy to carry out, Shishir told SecurityFocus. The attackers used very targeted e-mail messages with malicious attachments to compromise the victims' computers and gain beachheads in the offices of various Tibetan officials. Such attacks are difficult to stop, especially when paired with malware designed to get around standard antivirus defenses, he said.
"You need better technology, but a bigger component is discipline (on the part of the users)," Shishir said. "We need low-cost defenses for non-government organizations, companies and the government, and that is something that the Obama administration has to consider in its current cybersecurity review."
CORRECTION: The article incorrectly described the organization of the research effort to track down the malicious surveillance network. The University of Cambridge researchers worked independently of the CitizenLab researchers and produced a different report.
Posted by: Robert Lemos